ModSecurity Inbound Anomaly Score Exceeded
Hello,
I have some questions about ModSecurity.
I have this email:
Time: Tue Aug 29 17:56:39 2017 +0200
IP: [Removed]
Failures: 10 (mod_security)
Interval: 3600 seconds
Blocked: Permanent Block
Log entries:
[Tue Aug 29 17:56:34.795036 2017] [:error] [pid 10514] [Removed] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "HOSTNAME.DOMAIN"] [uri "/"] [unique_id "WaWOsqtPbXT0HgjokYeQUAAAAAY"]
What does it mean? My CSF firewall blocked this IP permanently. Is this a real attack, or have I misconfigured something? I have enabled all ModSecurity rules. I do shared hosting on this host; we have clients with some CMS installed, some static pages, etc...
I searched for IP [Removed] among the clients but found nothing like this IP.
-
Hello, the message suggests one of your OWASP ModSecurity rules blocked an access request. You can see more information about that rule ID 949110 at: owasp-modsecurity-crs/REQUEST-949-BLOCKING-EVALUATION.conf at v3.0/master · SpiderLabs/owasp-modsecurity-crs · GitHub. Here's a recent thread with discussion of troubleshooting this type of issue that you may find helpful: "ModSec shows security scanner scanning 127.0.0.1". Thank you.
-
Thank you, but what does it mean? Do I need to disable some rules, or are all the settings good and this is a real attack? I am afraid it might be blocking IP addresses of potential customers or clients of some webpages...
-
I see the 10 log entries (the post has now been edited down to only 1 log entry) from the csf email (csf copied them from your Apache error_log file) as indicating a number of things. Firstly, about your server setup:
- ModSecurity is functioning (that's a good thing)
- ModSecurity has a functioning rule set (OWASP3, cPanel's curated OWASP CRS version 3.0.0) (that's a good thing)
- ModSecurity is writing 403 hits to Apache's error_log file (that's a good thing)
- csf is configured to parse Apache's error_log for the phrase "Access denied with code 403" and count the hits for each IP (that's a good thing)
- csf is adding IPs to its permanent block list when they exceed the rate configured (in your csf configuration file) for your server: 10 requests with a 403 response in 1 hour per IP in your case (that's a good thing)
- Each of the errors logged has a different [unique_id "WaWOsqtPbXT0HgjokYeQUAAAAAY"]. This confirms that these are in fact 10 separate requests.
- They all occur between 17:56:33.536893 and 17:56:34.795036, that is, a span of 1.3 seconds. That looks like the fingerprint of a vulnerability scanner, but you don't really know unless you look at your logs to see what the requests actually were.
- Each request had [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"], which means each request hit 2 other high-scoring rules before it got to rule 949110. These details are in your modsec_audit.log. Details about how to find them are in the post cPanel Michael linked to.
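The checks the reply above walks through by hand (counting denials per IP the way csf does, measuring the span between the first and last one, confirming the unique_ids are distinct, and rule 949110's score-versus-threshold test) can be reproduced over error_log lines with a small parser. This is an added example, not code from the thread, cPanel, csf or the OWASP CRS. The log lines it uses are constructed (RFC 5737 documentation IPs, made-up unique_ids, hostname example.com, a fixed client port); the thresholds are the CRS 3.0 default inbound score of 5 and the 10-hits-in-3600-seconds values from the csf e-mail quoted above. The `min_contributing_rules` helper is my own arithmetic for "how many rules must have fired to reach this score", not something the CRS exposes.

```python
"""Parse ModSecurity 403 entries out of an Apache error_log and reproduce the
checks discussed in the thread: csf-style counting of denials per IP within an
interval, the per-IP burst summary, and the TX:anomaly_score >= threshold test
that rule 949110 performs.

Added example, not code from the thread, cPanel, csf or the OWASP CRS.
All sample log lines are constructed (documentation IPs, made-up unique_ids).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%a %b %d %H:%M:%S.%f %Y"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[:error\] \[pid \d+\] \[client (?P<ip>[^\]:]+)(?::\d+)?\] '
    r'ModSecurity: Access denied with code (?P<code>\d+)')
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')      # [id "949110"], [msg "..."], [tag "..."]
SCORE_RE = re.compile(r'Total Score: (\d+)')


def make_line(ts, ip, uid, score, uri="/"):
    """Build a constructed error_log line in the same layout as the one quoted in the thread."""
    return (f'[{ts.strftime(TS_FMT)}] [:error] [pid 10514] [client {ip}:51234] '
            f'ModSecurity: Access denied with code 403 (phase 2). '
            f'Operator GE matched 5 at TX:anomaly_score. '
            f'[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/'
            f'REQUEST-949-BLOCKING-EVALUATION.conf"] [line "30"] [id "949110"] '
            f'[msg "Inbound Anomaly Score Exceeded (Total Score: {score})"] '
            f'[severity "CRITICAL"] [tag "attack-generic"] [hostname "example.com"] '
            f'[uri "{uri}"] [unique_id "{uid}"]')


# Constructed sample: ten denials from one IP inside ~1.26 s (the burst the reply
# describes), two isolated denials from another IP hours apart, one unrelated line.
_T0 = datetime(2017, 8, 29, 17, 56, 33, 536893)
_T9 = datetime(2017, 8, 29, 17, 56, 34, 795036)
SAMPLE_LOG = "\n".join(
    [make_line(_T0 + (_T9 - _T0) * i / 9, "203.0.113.10", f"CONSTRUCTED-SCAN-{i:02d}", 8)
     for i in range(10)]
    + [make_line(datetime(2017, 8, 29, 10, 0, 0), "198.51.100.7", "CONSTRUCTED-CMS-01", 5, "/index.php"),
       make_line(datetime(2017, 8, 29, 11, 30, 0), "198.51.100.7", "CONSTRUCTED-CMS-02", 5, "/index.php"),
       "[Tue Aug 29 17:56:35.000000 2017] [mpm_prefork:notice] [pid 10514] resuming normal operations"])


def parse_line(line):
    """Return a dict for a ModSecurity 'Access denied' line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pairs = KV_RE.findall(line)
    entry = {"time": datetime.strptime(m.group("ts"), TS_FMT),
             "ip": m.group("ip"), "code": int(m.group("code")),
             "tags": [v for k, v in pairs if k == "tag"]}
    entry.update((k, v) for k, v in pairs if k != "tag")
    s = SCORE_RE.search(entry.get("msg", ""))
    entry["total_score"] = int(s.group(1)) if s else None
    return entry


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def anomaly_exceeded(entry, threshold=5):
    """Rule 949110's test: block when TX:anomaly_score >= the inbound threshold (CRS 3.0 default 5)."""
    return entry["total_score"] is not None and entry["total_score"] >= threshold


def min_contributing_rules(score, critical=5):
    """Fewest rule hits that can add up to `score` when the largest single weight is CRITICAL=5."""
    return -(-score // critical)   # ceiling division; 8 -> 2, as the reply says


def csf_blocks(entries, limit=10, interval=3600):
    """IPs csf would block: `limit` or more 403s inside any `interval`-second window."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["code"] == 403:
            by_ip[e["ip"]].append(e["time"])
    window = timedelta(seconds=interval)
    blocked = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - limit + 1):
            if times[i + limit - 1] - times[i] <= window:
                blocked.add(ip)
                break
    return blocked


def burst_summary(entries, ip):
    """Per-IP view the reply builds by hand: distinct requests, time span, URIs hit."""
    mine = [e for e in entries if e["ip"] == ip]
    span = (max(e["time"] for e in mine) - min(e["time"] for e in mine)).total_seconds() if mine else 0.0
    return {"requests": len({e["unique_id"] for e in mine}),
            "span_seconds": round(span, 3),
            "uris": sorted({e["uri"] for e in mine})}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip in sorted({e["ip"] for e in entries}):
        print(ip, burst_summary(entries, ip))
    print("csf would block:", csf_blocks(entries))
```

Only error_log is parsed here; which rules contributed the 8 points is recorded in modsec_audit.log, which the reply points to, so a score of 8 tells you only that at least two rules fired. Feed `parse_log` the real error_log and compare `burst_summary` for the blocked IP against a known client's traffic before deciding whether to tune a rule or keep the block.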